Archive for April, 2009

I have recently spent some time working with Xpath queries as part of Event Log filtering in Windows Server 2008. It’s a great feature, but one limitation I found was that it doesn’t appear possible to use the starts-with() function when querying Event Logs with either the UI or Wevtutil.exe. Here’s an example.

Let’s say I enabled LDAP logging on a DC and want to filter the Directory Service event log to find all LDAP queries coming from a particular IP address. The IP address is buried in one of the Data nodes of the Event XML, as shown in red below.

So if I wanted to use Xpath to filter all events in the Directory Service Event Log from that IP address my query would look something like this:

<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(Level=4 or Level=0) and (EventID=1644)]] and *[EventData[Data[5]='192.168.40.10:4048']]</Select>
  </Query>
</QueryList>

The query works well, but the problem is that the Data node within the XML contains the port number (4048) in addition to the IP address. I want to find all queries issued from that client, regardless of the port used. Here’s my attempt to use the starts-with() function to filter the event.

<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(Level=4 or Level=0) and (EventID=1644)]] and *[EventData[starts-with(Data[5],'192.168.40.10')]]</Select>
  </Query>
</QueryList>

This fails with the error "The specified query is invalid". Back to the drawing board. I posted a question to the Technet Forums and got some good help from Ivan Ting at Microsoft. He provided some Javascript that used starts-with() and this worked (after some fun messing around with default namespace issues). Being something of a Javascript muppet (the antithesis of a Javascript guru), I decided to try my hand at a Powershell version. Here's what I came up with.
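The post's own script is not reproduced here; the following is an added example illustrating the same two-stage approach. The Event Log service only accepts the XPath subset shown above, so Get-WinEvent does the server-side narrowing on EventID 1644, and the prefix match is then done with the full .NET XPath engine over each event's XML, registering a prefix for the default event namespace (the namespace issue mentioned above). The log name, the Data[5] position and the sample IP address are taken from the post; the parameter names are this example's own.

```powershell
# Added example (not the author's script): two-stage prefix filter for
# Directory Service 1644 events. The event log XPath subset rejects
# starts-with(), so Get-WinEvent does the cheap server-side narrowing and
# the .NET XPath engine does the prefix match on each event's XML.
param(
    [string]$LogName  = 'Directory Service',
    [string]$ClientIp = '192.168.40.10'   # sample address from the post
)

# Stage 1: XPath the Event Log service accepts (same predicate as the post).
# SilentlyContinue keeps "no events found" from being reported as an error.
$serverFilter = '*[System[(Level=4 or Level=0) and (EventID=1644)]]'
$candidates = Get-WinEvent -LogName $LogName -FilterXPath $serverFilter -ErrorAction SilentlyContinue

# Stage 2: full XPath over the rendered event XML. The XML carries a default
# namespace, so a prefix must be registered or no node will ever match.
$eventNs = 'http://schemas.microsoft.com/win/2004/08/events/event'
# The trailing ':' stops a search for 192.168.40.1 from also matching
# 192.168.40.10, 192.168.40.11 and so on.
$clientFilter = "/e:Event/e:EventData[starts-with(e:Data[5], '${ClientIp}:')]"

foreach ($ev in $candidates) {
    [xml]$doc = $ev.ToXml()
    $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $nsm.AddNamespace('e', $eventNs)

    if ($doc.SelectSingleNode($clientFilter, $nsm) -ne $null) {
        $data = $doc.SelectNodes('/e:Event/e:EventData/e:Data', $nsm)
        New-Object PSObject -Property @{
            TimeCreated = $ev.TimeCreated
            RecordId    = $ev.RecordId
            Client      = $data[4].InnerText   # XPath Data[5] is zero-based index 4
        }
    }
}
```

Run it on the DC with LDAP logging enabled; pipe the output to Format-Table or Export-Csv to get just the columns you care about. Keep the server-side predicate as tight as possible, because every event that passes stage 1 is rendered to XML and parsed on the client.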

Having to write a script is more effort than simply issuing the query from within Eventvwr, but it does have the advantage of allowing you to return only the information you are interested in – and in the format that you want. Hopefully, my experience will save you a bit of time and effort if you are trying to achieve something similar.

Laura Hunter and Brian Desmond will be doing a webcast discussing and demoing the new Active Directory features in Windows Server 2008 R2 as well as answering AD questions. They have a 90 minute slot and expect to spend ~45-60 minutes on R2 and the remainder taking questions on the presentation and AD in general.

They’d love to see you there. The webcast is hosted by O’Reilly and is free to attend. If you can’t make it, a recording will be available. Here are the details:

In my last post, I provided a small batch file to support scheduled IFM dumps of an AD LDS instance. Afterwards, I realised that batch files are sooo last century and decided to have a crack at the Powershell version. I’m no Bwandon, but the script below seems to do the trick.

Microsoft Technet describes how to back up an AD LDS instance using either Windows Server Backup or Dsdbutil.exe. Interestingly, the Dsdbutil method leverages the Install From Media (IFM) feature to perform the backup. Here’s a small batch file that you can use to schedule the backup using the Task Scheduler.

If you've spent some time with Vista or Windows Server 2008 you'll have noticed that there are some fundamental changes to the event viewer. One of the changes is in the way in which event logs can be filtered. In addition to the point-and-click filter selection you can now also enter an xpath query by accessing the XML tab (see screenshots below). This gives you the ability to filter using a much wider range of criteria. Basically, you can search using anything that is presented in the list of XML values.


The xpath queries take a bit of getting used to and as yet there don't appear to be many publicly available examples. Here are a few to get you started.

This query searches the Security Event log for 4624 events that include a TargetUserName of "User1" and corresponding to a logon type of "2" (interactive).
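The query itself is not reproduced on this page, so here is an added example (not the post's own) that expresses the filter just described as a QueryList and runs it with Get-WinEvent. It uses the Data[@Name='...'] form, which lets you address EventData fields by the names shown on the XML tab rather than by position; the account name User1 and logon type 2 come from the post, everything else is this example's own.

```powershell
# Added example (not the post's query): 4624 interactive logons for one
# account, filtered server-side by named EventData fields.
param([string]$User = 'User1')   # sample account name from the post

# Double-quoted here-string so $User is expanded into the XPath predicate.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624)]]
      and
      *[EventData[Data[@Name='TargetUserName']='$User' and Data[@Name='LogonType']='2']]
    </Select>
  </Query>
</QueryList>
"@

# Reading the Security log needs an elevated session.
Get-WinEvent -FilterXml ([xml]$query) -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull a couple of named fields back out of the event XML; no namespace
        # manager is needed here because PowerShell's [xml] adapter ignores it.
        [xml]$x = $_.ToXml()
        $fields = @{}
        foreach ($d in $x.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            TimeCreated    = $_.TimeCreated
            TargetUserName = $fields['TargetUserName']
            LogonType      = $fields['LogonType']
            IpAddress      = $fields['IpAddress']
        }
    }
```

The same QueryList pastes straight into the XML tab of the Event Viewer filter dialog (drop the PowerShell wrapper and replace $User with the literal name), which is a handy way to check a predicate before putting it in a script.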

Even though Xpath can appear a little daunting at first it is worth spending a bit of time with as it’s potentially quite powerful. As with Powershell it is something that is likely to be here to stay.

I really like the snapshot feature of Windows Server 2008 AD and have been using it quite a bit recently. This week I had my first foray into snapshotting with AD LDS. Everything is pretty much the same as for AD, the only obvious difference being that you can create the snapshots using either dsdbutil or ntdsutil with AD LDS. I was somewhat surprised then to see a nasty looking error (see below) when I fired up Dsamain.exe to expose my freshly taken AD LDS snapshot.